Unsafe or Blank attribute value for attribute or The following record does not have a username Error when Syncing a Directory
Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
Synchronisations in Confluence do not complete successfully.
The following appears in the atlassian-confluence.log:
2013-01-26 21:25:59,436 INFO [http-8090-7] [directory.ldap.util.DirectoryAttributeRetriever] getValueFromAttributes Unsafe or Blank attribute value for attribute <mail>: ''.
2013-01-26 21:25:59,436 ERROR [http-8090-7] [ldap.mapper.entity.LDAPUserAttributesMapper] getUsernameFromAttributes The following record does not have a username:
{ ... < a user object with all attribute > ...}
The attribute <mail> above represents the attribute being used for the username. This can be any attribute.
You may also see this in the logs:
2013-01-26 22:12:24,144 ERROR [scheduler_Worker-2] [ldap.mapper.entity.LDAPUserAttributesMapper] getUsernameFromAttributes The following record does not have a username:
Cause
This is caused by records in the LDAP directory in which the attribute defined as the username is empty or does not exist. For example, you may set the username to 'cn' in Confluence; the sync will fail in the above manner if it encounters a record that either does not have a cn attribute, or whose cn attribute does not contain a value. This is more likely to occur with attributes like 'mail' that may not be required by the LDAP structure.
Resolution
- You can configure the directory to limit the objects that are synchronised, either by setting advanced schema settings (see Connecting to an LDAP Directory) or by using LDAP search filters.
- If you cannot limit the sync to exclude the invalid objects, you will need to clean the data in your LDAP directory. You must ensure that the attribute you are using for the username:
  - Is unique across the LDAP directory - you cannot have two records with the same username
  - Is a required field in the LDAP directory - you cannot have blank usernames
  - Is not a space or newline character - such a value is invalid but will still be returned by (attribute=*)
  - Is singular in the LDAP user object - you cannot use an attribute that can have multiple entries in the one object. For example, if you have multiple 'cn' attributes in an object, such as cn=Elizabeth and cn=Beth, you must choose another attribute to use for the username.
- Alternatively you can use an Internal Directory with LDAP Authentication. This type of directory does not synchronise but simply checks/adds users as they attempt to log in.
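The four username-attribute requirements listed above can be checked offline against an LDIF export before the next sync. The following is an added example, not Atlassian's code: the function names and the sample entries are constructed for illustration, and it assumes a plain LDIF export with no comment lines or folded lines.

```python
import base64

# Constructed sample export (not from the page); plain LDIF without folded lines.
SAMPLE_LDIF = """\
dn: cn=Alice,dc=example,dc=com
cn: Alice
mail: alice@example.com

dn: cn=Bob,dc=example,dc=com
cn: Bob

dn: cn=Carol,dc=example,dc=com
cn: Carol
mail:: IA==

dn: cn=Elizabeth,dc=example,dc=com
cn: Elizabeth
cn: Beth
mail: Alice@example.com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from a simple LDIF export."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            b64 = value.startswith(":")  # "attr:: <base64>", used for values such as a lone space
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace") if b64 else value.lstrip(" ")
            attrs.setdefault(name.lower(), []).append(value)
        entries.append((attrs["dn"][0], attrs))
    return entries

def audit_username_attr(entries, attr):
    """Map each offending DN to the username rule it breaks."""
    problems, owners = {}, {}
    for dn, attrs in entries:
        values = attrs.get(attr.lower(), [])
        if not values:
            problems[dn] = "missing"
        elif len(values) > 1:
            problems[dn] = "multi-valued"
        elif not values[0].strip():
            problems[dn] = "blank"
        else:  # assumption: usernames are compared case-insensitively
            owners.setdefault(values[0].lower(), []).append(dn)
    dups = {dn: "duplicate" for dns in owners.values() if len(dns) > 1 for dn in dns}
    return {**problems, **dups}
```

Calling `audit_username_attr(parse_ldif(SAMPLE_LDIF), "mail")` flags the missing, blank and duplicate records in the sample; the same call with `"cn"` flags only the entry that carries two cn values.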